From 29af5ef1cfba291c01c19b4ce551c30eb66e3d2a Mon Sep 17 00:00:00 2001
From: gu-gu-gu
Date: Wed, 25 Dec 2019 18:35:15 +0800
Subject: [PATCH] fix cves

---
 CVE-2019-10894.patch | 46 ++++++++++++++++++++++
 CVE-2019-10895.patch | 67 +++++++++++++++++++++++++++++++++
 CVE-2019-10896.patch | 44 ++++++++++++++++++++++
 CVE-2019-10899.patch | 39 +++++++++++++++++++
 CVE-2019-10901.patch | 90 ++++++++++++++++++++++++++++++++++++++++++++
 CVE-2019-10903.patch | 56 +++++++++++++++++++++++++++
 wireshark.spec | 14 ++++++-
 7 files changed, 355 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2019-10894.patch
 create mode 100644 CVE-2019-10895.patch
 create mode 100644 CVE-2019-10896.patch
 create mode 100644 CVE-2019-10899.patch
 create mode 100644 CVE-2019-10901.patch
 create mode 100644 CVE-2019-10903.patch
diff --git a/CVE-2019-10894.patch b/CVE-2019-10894.patch
new file mode 100644
index 0000000..b8c4f02
--- /dev/null
+++ b/CVE-2019-10894.patch
@@ -0,0 +1,46 @@
+diff -Nurp wireshark-2.6.2/epan/dissectors/packet-gssapi.c wireshark-2.6.2-bak/epan/dissectors/packet-gssapi.c
+--- wireshark-2.6.2/epan/dissectors/packet-gssapi.c 2018-07-18 15:39:22.000000000 -0400
++++ wireshark-2.6.2-bak/epan/dissectors/packet-gssapi.c 2019-08-14 18:44:52.909000000 -0400
+@@ -370,16 +370,34 @@ dissect_gssapi_work(tvbuff_t *tvb, packe
+ } else {
+ tvbuff_t *oid_tvb_local;
+
+- oid_tvb_local = tvb_new_subset_remaining(gss_tvb, start_offset);
+- if (is_verifier)
++ if (is_verifier) {
+ handle = oidvalue->wrap_handle;
+- else
++ if (handle != NULL) {
++ oid_tvb_local = tvb_new_subset_remaining(gss_tvb, start_offset);
++ len = call_dissector_with_data(handle, oid_tvb_local, pinfo, subtree, encrypt_info);
++ if (len == 0)
++ return_offset = tvb_captured_length(gss_tvb);
++ else
++ return_offset = start_offset + len;
++ } else {
++ proto_tree_add_item(subtree, hf_gssapi_auth_verifier, gss_tvb, offset, -1, ENC_NA);
++ return_offset = tvb_captured_length(gss_tvb);
++ }
++ } else {
+ handle = oidvalue->handle;
+- len = call_dissector_with_data(handle, oid_tvb_local, pinfo, subtree, encrypt_info);
+- if (len == 0)
+- return_offset = tvb_captured_length(gss_tvb);
+- else
+- return_offset = start_offset + len;
++ if (handle != NULL) {
++ oid_tvb_local = tvb_new_subset_remaining(gss_tvb, start_offset);
++ len = call_dissector_with_data(handle, oid_tvb_local, pinfo, subtree, encrypt_info);
++ if (len == 0)
++ return_offset = tvb_captured_length(gss_tvb);
++ else
++ return_offset = start_offset + len;
++ } else {
++ proto_tree_add_item(subtree, hf_gssapi_auth_credentials, gss_tvb, offset, -1, ENC_NA);
++ return_offset = tvb_captured_length(gss_tvb);
++ }
++ }
++
+ goto done; /* We are finished here */
+ }
+ }
diff --git a/CVE-2019-10895.patch b/CVE-2019-10895.patch
new file mode 100644
index 0000000..e7a5e50
--- /dev/null
+++ b/CVE-2019-10895.patch
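Review bot: CVE-2019-10894.patch carries no provenance — unlike the other five patch files it has no upstream commit id, `Bug:` number or `(cherry picked from …)` trailer, only a `diff -Nurp` against a `-bak` tree — so a reviewer cannot compare this backport with the upstream fix or tell whether it was written by hand. A short header at the top of the patch file naming the upstream change it was derived from (and the CVE it addresses) would make that auditable. Inside the hunk the `if (is_verifier) {` and `} else {` arms are now identical apart from which handle field is read and which hf_ field the raw-bytes fallback uses; selecting those two in a small `if`/`else` and then running a single `if (handle != NULL)` path would halve the duplicated block. `dissect_gssapi_work` starts and ends outside the hunk, and whether the fallback `proto_tree_add_item` should start at `offset` or at `start_offset` (the value the subset uses) cannot be judged from here.
```c
if (is_verifier) {
    handle = oidvalue->wrap_handle;
    hf_raw = hf_gssapi_auth_verifier;      /* new int local; declare with the others above the hunk */
} else {
    handle = oidvalue->handle;
    hf_raw = hf_gssapi_auth_credentials;
}
if (handle != NULL) {
    oid_tvb_local = tvb_new_subset_remaining(gss_tvb, start_offset);
    len = call_dissector_with_data(handle, oid_tvb_local, pinfo, subtree, encrypt_info);
    return_offset = (len == 0) ? tvb_captured_length(gss_tvb) : start_offset + len;
} else {
    /* No dissector registered for this mechanism OID: show the bytes undecoded. */
    proto_tree_add_item(subtree, hf_raw, gss_tvb, offset, -1, ENC_NA);
    return_offset = tvb_captured_length(gss_tvb);
}
/* … unchanged: goto done … */
```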
@@ -0,0 +1,67 @@
+From 2fbbde780e5d5d82e31dca656217daf278cf62bb Mon Sep 17 00:00:00 2001
+From: Dario Lombardo
+Date: Tue, 5 Mar 2019 17:25:24 +0100
+Subject: [PATCH] netscaler: add more sanity checks.
+
+Fix more crashes found in the provided bug report.
+
+Bug: 15497
+Change-Id: If84498fa879ad56c8677f8c1442a8dc0e5906003
+Reviewed-on: https://code.wireshark.org/review/32333
+Petri-Dish: Dario Lombardo
+Tested-by: Petri Dish Buildbot
+Reviewed-by: Anders Broman
+(cherry picked from commit 134a513dd59315d67866f238459fdee6347f1055)
+Reviewed-on: https://code.wireshark.org/review/32422
+(cherry picked from commit fc8367a50516e832be960a9001ccdb09ced9b27f)
+Reviewed-on: https://code.wireshark.org/review/32430
+Reviewed-by: Guy Harris
+---
+ wiretap/netscaler.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/wiretap/netscaler.c b/wiretap/netscaler.c
+index c88c082..fc350e2 100644
+--- a/wiretap/netscaler.c
++++ b/wiretap/netscaler.c
+@@ -653,6 +653,20 @@ static gboolean nstrace_dump(wtap_dumper *wdh, const struct wtap_pkthdr *phdr,
+ #define GET_READ_PAGE_SIZE(remaining_file_size) ((gint32)((remaining_file_size>NSPR_PAGESIZE)?NSPR_PAGESIZE:remaining_file_size))
+ #define GET_READ_PAGE_SIZEV3(remaining_file_size) ((gint32)((remaining_file_size>NSPR_PAGESIZE_TRACE)?NSPR_PAGESIZE_TRACE:remaining_file_size))
+
++/*
++ * Check whether we have enough room to retrieve the data in the caller.
++ * If not, we have a malformed file.
++ */
++static gboolean nstrace_ensure_buflen(nstrace_t* nstrace, guint offset, guint len, int *err, gchar** err_info)
++{
++ if (offset > nstrace->nstrace_buflen || nstrace->nstrace_buflen - offset < len) {
++ *err = WTAP_ERR_BAD_FILE;
++ *err_info = g_strdup("nstrace: malformed file");
++ return FALSE;
++ }
++ return TRUE;
++}
++
+ static guint64 ns_hrtime2nsec(guint32 tm)
+ {
+ guint32 val = tm & NSPR_HRTIME_MASKTM;
+@@ -940,6 +940,8 @@ nspm_signature_version(wtap *wth, gchar *nstrace_buf, gint32 len)
+ switch (nspr_getv##ver##recordtype(fp))\
+ {\
+ case NSPR_ABSTIME_V##ver:\
++ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_abstime_v##ver##_t), err, err_info))\
++ return FALSE;\
+ ns_setabstime(nstrace, pletoh32(&((nspr_abstime_v##ver##_t *) fp)->abs_Time), pletoh16(&((nspr_abstime_v##ver##_t *) fp)->abs_RelTime));\
+ nstrace->nstrace_buf_offset = nstrace_buf_offset + nspr_getv##ver##recordsize(fp);\
+ nstrace->nstrace_buflen = nstrace_buflen;\
+@@ -1330,6 +1332,8 @@ static gboolean nstrace_read_v20(wtap *wth, int *err, gchar **err_info, gint64 *
+
+ case NSPR_RELTIME_V20:
+ {
++ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_hd_v20_t), err, err_info))
++ return FALSE;
+ nspr_pktracefull_v20_t *fp20 = (nspr_pktracefull_v20_t *) &nstrace_buf[nstrace_buf_offset];
+ if (nspr_getv20recordsize((nspr_hd_v20_t *)fp20) == 0) {
+ *err = WTAP_ERR_BAD_FILE;
+--
+2.7.4
diff --git a/CVE-2019-10896.patch b/CVE-2019-10896.patch
new file mode 100644
index 0000000..c92c858
--- /dev/null
+++ b/CVE-2019-10896.patch
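Review bot: The patch's own diffstat, `wiretap/netscaler.c | 4 ++++` and `1 file changed, 4 insertions(+)`, does not match the hunks below it, which add 18 lines including the whole `nstrace_ensure_buflen` helper; the header was evidently kept from the upstream cherry-pick while the body was reworked for 2.6.2, so this file is not a verbatim copy of the commits it cites. A one-line note under the trailers saying the helper was carried along with the backport would spare the next reader from trying to reconcile it against `fc8367a50516e832be960a9001ccdb09ced9b27f`. The helper itself is sound: `offset > nstrace->nstrace_buflen` is rejected before `nstrace->nstrace_buflen - offset` is formed, so the unsigned subtraction cannot wrap, and the `sizeof` arguments narrow from `size_t` to `guint len` harmlessly. In the `nstrace_read_v20` hunk the new check precedes the declaration of `fp20` in the same block, which is fine in C99 but is a mixed declaration the 2.6 build may warn about; that function starts and ends outside the hunk.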
@@ -0,0 +1,44 @@
+From 651cd91b16b01e3da698b04542da376d946bc54b Mon Sep 17 00:00:00 2001
+From: Gerald Combs
+Date: Wed, 3 Apr 2019 09:41:36 -0700
+Subject: [PATCH] DOF: Fix alias binding dissection.
+
+When adding generated IID and OID bytes to the tree, use a zero offset
+and length like we do elsewhere in the dissector.
+
+Bug: 15617
+Change-Id: Id900f2aeeef7926706b417622d452ffa72949e8a
+(cherry picked from commit ecf03bb37b3345e684890f7eee031cb17a247939)
+Reviewed-on: https://code.wireshark.org/review/32723
+Reviewed-by: Gerald Combs
+---
+ epan/dissectors/packet-dof.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/epan/dissectors/packet-dof.c b/epan/dissectors/packet-dof.c
+index 2663eed..9770deb 100644
+--- a/epan/dissectors/packet-dof.c
++++ b/epan/dissectors/packet-dof.c
+@@ -1379,16 +1379,17 @@ static int oap_1_tree_add_alias(dof_api_data *api_data, oap_1_packet_data *oap_p
+ key.sender = packet->sender_id;
+ key.alias = alias;
+ binding = oap_1_resolve_alias(&key);
++
+ if (binding)
+ {
+ options_tree = proto_item_add_subtree(ti, ett_oap_1_alias);
+
+ /* Decode the Interface */
+- ti = proto_tree_add_bytes_format_value(tree, hf_oap_1_interfaceid, tvb, offset, alias_length, binding->iid, "%s", dof_iid_create_standard_string(binding->iid_length, binding->iid));
++ ti = proto_tree_add_bytes_format_value(tree, hf_oap_1_interfaceid, tvb, 0, 0, binding->iid, "%s", dof_iid_create_standard_string(binding->iid_length, binding->iid));
+ PROTO_ITEM_SET_GENERATED(ti);
+
+ /* Decode the Object ID */
+- ti = proto_tree_add_bytes_format_value(tree, hf_oap_1_objectid, tvb, offset, alias_length, binding->oid, "%s", dof_oid_create_standard_string(binding->oid_length, binding->oid));
++ ti = proto_tree_add_bytes_format_value(tree, hf_oap_1_objectid, tvb, 0, 0, binding->oid, "%s", dof_oid_create_standard_string(binding->oid_length, binding->oid));
+ PROTO_ITEM_SET_GENERATED(ti);
+
+ proto_tree_add_uint_format(options_tree, hf_oap_1_alias_frame,
+--
+2.7.4
+
diff --git a/CVE-2019-10899.patch b/CVE-2019-10899.patch
new file mode 100644
index 0000000..1523156
--- /dev/null
+++ b/CVE-2019-10899.patch
@@ -0,0 +1,39 @@
+From f43ac1291b80bbccdd1ef3e6118f72e08dc8beac Mon Sep 17 00:00:00 2001
+From: Dario Lombardo
+Date: Fri, 1 Mar 2019 11:18:53 +0100
+Subject: [PATCH] srvloc: check buffer index to prevent heap overflow.
+
+Bug: 15546
+Change-Id: I35eee1f6e1127db74339ec7218d7681bd93de59c
+Reviewed-on: https://code.wireshark.org/review/32285
+Petri-Dish: Alexis La Goutte
+Tested-by: Petri Dish Buildbot
+Reviewed-by: Anders Broman
+(cherry picked from commit 8f15ebed65ceea5c856fce055b5d83fb0c4b597b)
+Reviewed-on: https://code.wireshark.org/review/32340
+Petri-Dish: Dario Lombardo
+Reviewed-by: Dario Lombardo
+---
+ epan/dissectors/packet-srvloc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/epan/dissectors/packet-srvloc.c b/epan/dissectors/packet-srvloc.c
+index 629ca78..d0ecf88 100644
+--- a/epan/dissectors/packet-srvloc.c
++++ b/epan/dissectors/packet-srvloc.c
+@@ -444,9 +444,13 @@ unicode_to_bytes(tvbuff_t *tvb, int offset, int length, gboolean endianness)
+ for (i = length; i > 0; i--) {
+ c_char = ascii_text[i];
+ if (c_char != 0) {
++ if (i == 0)
++ break;
+ i--;
+ c_char1 = ascii_text[i];
+ if (c_char1 == 0) {
++ if (i == 0)
++ break;
+ i--;
+ c_char1 = ascii_text[i];
+ }
+--
+2.7.4
diff --git a/CVE-2019-10901.patch b/CVE-2019-10901.patch
new file mode 100644
index 0000000..d39a506
--- /dev/null
+++ b/CVE-2019-10901.patch
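Review bot: The two `proto_tree_add_bytes_format_value` calls now pass `0, 0` for offset and length, and nothing at the call site says why; a one-line comment above the first, `/* iid/oid come from the resolved alias binding, not from this tvb, so the generated items cover no tvb range */`, would keep someone from "restoring" `offset, alias_length`. The blank line added after `binding = oap_1_resolve_alias(&key);` is unrelated whitespace carried into a security patch. `oap_1_tree_add_alias` starts and ends outside the hunk.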
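Review bot: The first added guard, `if (i == 0) break;` directly under `if (c_char != 0) {`, can never fire: the loop condition `i > 0` has just been tested and `i` is not modified between it and the guard, so only the second guard, after `i--`, does the work of keeping the index from running below zero. Dropping the first one, or replacing it with a comment such as `/* i > 0 here by the loop condition; re-check after each i-- below */`, would make the fix easier to read. The loop also reads `ascii_text[i]` with `i == length` on its first iteration, which presumably relies on the buffer holding `length + 1` bytes; that allocation is above the hunk, and `unicode_to_bytes` continues outside it.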
@@ -0,0 +1,90 @@
+From 6c3467945cd9bf1242a2dcd4a8fbff32b885391e Mon Sep 17 00:00:00 2001
+From: Dario Lombardo
+Date: Wed, 3 Apr 2019 09:10:38 +0200
+Subject: [PATCH] ldss: add checks on file digest.
+
+Bug: 15620
+Change-Id: I600c262f42414dd50c0cf4c1230acfb2a8042212
+Reviewed-on: https://code.wireshark.org/review/32520
+Petri-Dish: Dario Lombardo
+Tested-by: Petri Dish Buildbot
+Reviewed-by: Gerald Combs
+---
+ epan/dissectors/packet-ldss.c | 19 +++----------------
+ 1 file changed, 3 insertions(+), 16 deletions(-)
+
+diff --git a/epan/dissectors/packet-ldss.c b/epan/dissectors/packet-ldss.c
+index 861fccd..68e6e54 100644
+--- a/epan/dissectors/packet-ldss.c
++++ b/epan/dissectors/packet-ldss.c
+@@ -466,13 +466,10 @@ dissect_ldss_transfer (tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void
+ * Compression: 0
+ * (remote end sends the file identified by the digest) */
+ guint offset = 0;
+- gboolean already_dissected = TRUE;
+
+ col_set_str(pinfo->cinfo, COL_INFO, "LDSS File Transfer (Requesting file - pull)");
+
+ if (transfer_info->req == NULL) {
+-
+- already_dissected = FALSE;
+ transfer_info->req = wmem_new0(wmem_file_scope(), ldss_file_request_t);
+ transfer_info->req->file = wmem_new0(wmem_file_scope(), ldss_file_t);
+ }
+@@ -490,8 +487,7 @@ dissect_ldss_transfer (tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void
+ gint next_offset;
+ const guint8 *line;
+ int linelen;
+- gboolean is_digest_line;
+- guint digest_type_len;
++ guint digest_type_len = 0;
+
+ linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
+
+@@ -502,28 +498,19 @@ dissect_ldss_transfer (tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void
+ ett_ldss_transfer_req, NULL,
+ tvb_format_text(tvb, offset, next_offset-offset));
+
+- /* Reduce code duplication processing digest lines.
+- * There are too many locals to pass to a function - the signature
+- * looked pretty ugly when I tried! */
+- is_digest_line = FALSE;
+-
+ if (strncmp(line,"md5:",4)==0) {
+- is_digest_line = TRUE;
+ digest_type_len = 4;
+ transfer_info->file->digest_type = DIGEST_TYPE_MD5;
+ }
+ else if (strncmp(line, "sha1:", 5)==0) {
+- is_digest_line = TRUE;
+ digest_type_len = 5;
+ transfer_info->file->digest_type = DIGEST_TYPE_SHA1;
+ }
+ else if (strncmp(line, "sha256:", 7)==0) {
+- is_digest_line = TRUE;
+ digest_type_len = 7;
+ transfer_info->file->digest_type = DIGEST_TYPE_SHA256;
+ }
+ else if (strncmp(line, "unknown:", 8)==0) {
+- is_digest_line = TRUE;
+ digest_type_len = 8;
+ transfer_info->file->digest_type = DIGEST_TYPE_UNKNOWN;
+ }
+@@ -555,12 +542,12 @@ dissect_ldss_transfer (tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void
+ proto_tree_add_expert(line_tree, pinfo, &ei_ldss_unrecognized_line, tvb, offset, linelen);
+ }
+
+- if (is_digest_line) {
++ if (digest_type_len > 0) {
+ proto_item *tii = NULL;
+
+ /* Sample digest-type/digest line:
+ * md5:0123456789ABCDEF\n */
+- if (!already_dissected) {
++ if (!transfer_info->file->digest) {
+ GByteArray *digest_bytes;
+
+ digest_bytes = g_byte_array_new();
+--
+2.7.4
+
diff --git a/CVE-2019-10903.patch b/CVE-2019-10903.patch
new file mode 100644
index 0000000..56f5c73
--- /dev/null
+++ b/CVE-2019-10903.patch
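Review bot: The new guard `if (!transfer_info->file->digest) {` changes the condition from "first dissection pass of this request" (the removed `already_dissected`) to "no digest stored for this file yet", and nothing in the hunk records that intent; a one-line comment above it, `/* Parse the digest at most once per file; later passes reuse the stored copy. */`, would keep the next maintainer from reinstating a per-pass flag. The first hunk allocates `transfer_info->req->file` while the guard reads `transfer_info->file`; whether those refer to the same object cannot be told from here, and the code that assigns `digest` is below the hunk. Replacing `is_digest_line` with `digest_type_len > 0` is sound since every recognised prefix sets a non-zero length, but `guint digest_type_len = 0;` now doubles as the flag and deserves the same one-line explanation. `dissect_ldss_transfer` starts and ends outside the hunks.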
@@ -0,0 +1,56 @@
+From 5aba3ed0cdebc1ec960261e3e9eda87c8408259f Mon Sep 17 00:00:00 2001
+From: Dario Lombardo
+Date: Sun, 17 Mar 2019 00:47:02 +0100
+Subject: [PATCH] dcerpc: ensure the length in the packet doesn't overcome the
+ boundaries.
+
+The spoolss dissector creates a new source using the length from the packet
+data. If it overcomes the ends of the packet we hit a crash. In this case
+add an expert info and stop the dissection
+
+Bug: 15568
+Change-Id: Idfb0b54c1f41842170d3d03c80897a3b7edc9400
+Reviewed-on: https://code.wireshark.org/review/32449
+Petri-Dish: Anders Broman
+Tested-by: Petri Dish Buildbot
+Reviewed-by: Anders Broman
+---
+ epan/dissectors/packet-dcerpc-spoolss.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/epan/dissectors/packet-dcerpc-spoolss.c b/epan/dissectors/packet-dcerpc-spoolss.c
+index 2bf8cc8..46b3d34 100644
+--- a/epan/dissectors/packet-dcerpc-spoolss.c
++++ b/epan/dissectors/packet-dcerpc-spoolss.c
+@@ -315,6 +315,7 @@ static expert_field ei_driver_info_level = EI_INIT;
+ static expert_field ei_level = EI_INIT;
+ static expert_field ei_notify_info_data_type = EI_INIT;
+ static expert_field ei_enumprinterdataex_value = EI_INIT;
++static expert_field ei_buffer_size_too_long = EI_INIT;
+
+ /* Registry data types */
+
+@@ -441,6 +442,13 @@ dissect_spoolss_buffer_data(tvbuff_t *tvb, int offset, packet_info *pinfo,
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
+ hf_buffer_size, &size);
+
++ /* Before going any further, we must ensure the bytes
++ actually esist in the tvb */
++ if ((guint32)tvb_reported_length_remaining(tvb, offset) < size) {
++ expert_add_info(pinfo, tree, &ei_buffer_size_too_long);
++ return offset;
++ }
++
+ offset = dissect_ndr_uint8s(tvb, offset, pinfo, NULL, di, drep,
+ hf_buffer_data, size, &data);
+
+@@ -8315,6 +8323,7 @@ proto_register_dcerpc_spoolss(void)
+ { &ei_level, { "spoolss.level.unknown", PI_PROTOCOL, PI_WARN, "Info level unknown", EXPFILL }},
+ { &ei_notify_info_data_type, { "spoolss.notify_info_data.type.unknown", PI_PROTOCOL, PI_WARN, "Unknown notify type", EXPFILL }},
+ { &ei_enumprinterdataex_value, { "spoolss.enumprinterdataex.val_unknown", PI_PROTOCOL, PI_WARN, "Unknown value type", EXPFILL }},
++ { &ei_buffer_size_too_long, { "spoolss.buffer.size.invalid", PI_PROTOCOL, PI_ERROR, "Buffer size too long", EXPFILL }},
+ };
+
+ expert_module_t* expert_dcerpc_spoolss;
+--
+2.7.4
diff --git a/wireshark.spec b/wireshark.spec
index 3e45d34..418f31d 100644
--- a/wireshark.spec
+++ b/wireshark.spec
@@ -1,6 +1,6 @@
 Name: wireshark
 Version: 2.6.2
-Release: 3
+Release: 4
 Epoch: 1
 Summary: Network traffic analyzer
 License: GPL+
@@ -32,6 +32,12 @@ Patch6012: wireshark-CVE-2018-19628.patch
 Patch6013: wireshark-CVE-2019-9208.patch
 Patch6014: wireshark-CVE-2019-9209.patch
 Patch6015: wireshark-CVE-2019-5718.patch
+Patch6016: CVE-2019-10894.patch
+Patch6017: CVE-2019-10896.patch
+Patch6018: CVE-2019-10899.patch
+Patch6019: CVE-2019-10901.patch
+Patch6020: CVE-2019-10903.patch
+Patch6021: CVE-2019-10895.patch

 Requires(pre): shadow-utils
 Requires(post): systemd-udev
@@ -140,6 +146,12 @@ getent group usbmon >/dev/null || groupadd -r usbmon
 %{_mandir}/man?/*
 %changelog
+* Wed Dec 25 2019 gulining - 2.6.2-4
+- Type:cves
+- ID: CVE-2019-10894 CVE-2019-10896 CVE-2019-10899 CVE-2019-10901 CVE-2019-10903 CVE-2019-10895
+- SUG:restart
+- DESC: fix CVE-2019-10894 CVE-2019-10896 CVE-2019-10899 CVE-2019-10901 CVE-2019-10903 CVE-2019-10895
+
 * Mon Nov 25 2019 gulining - 2.6.2-3
 - revise obsoletes
--
Gitee
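Review bot: The comment added above the new length check misspells "exist" (`actually esist in the tvb`); since this patch file is carried in the repository, fix it here: `/* Before going any further, we must ensure the bytes actually exist in the tvb */`. The guard compares `size` against `tvb_reported_length_remaining()`, so on a truncated capture a `size` that fits the reported length but not the captured bytes still reaches `dissect_ndr_uint8s`, which is presumably left to raise the usual bounds exception; that is acceptable, but a few words in the same comment saying the check targets malformed (not short) packets would explain the choice. The new expert item `spoolss.buffer.size.invalid` is registered with `PI_ERROR`, matching the crash it prevents. `dissect_spoolss_buffer_data` starts and ends outside the hunk.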
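Review bot: The `Patch6016`–`Patch6021` lines only declare the six patches; whether they are applied depends on the `%prep` section, which is outside this diff — if the spec uses explicit `%patchNNNN -p1` lines rather than `%autosetup`, six matching lines are needed there as well. All six files are `-p1` patches (the five cherry-picks use `a/`/`b/` prefixes and CVE-2019-10894.patch diffs `wireshark-2.6.2/` against `wireshark-2.6.2-bak/`), so they share one strip level. `Patch6021: CVE-2019-10895.patch` breaks the ascending CVE order of the other five; if it was placed last on purpose (it touches `wiretap/` rather than a dissector), a trailing comment such as `# applied last: wiretap change, independent of the dissector fixes above` would save the next maintainer from "fixing" the order.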